Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 00:43

General

  • Target

    2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll

  • Size

    457KB

  • MD5

    2144112e6180ba6dac7514c4972d3360

  • SHA1

    e96159f89a6ec9653180df80f50e2c9b0212ff1a

  • SHA256

    397a06a8dfebd9cecab74cf9563017042fbf04050a8f368b2b2ac644643d35c1

  • SHA512

    f97a3d1fcb7134634213ddcf0c4b4eb27b8382e196e8fb428954ad2a105fd00b98ccc1febcded67f97fa3aa848139738e34d623f55de83745d92a65afd3948d2

  • SSDEEP

    12288:Ha+VWigpr73NMMlti+mK0BNpb1QNLfziqXfjk4JFy8BuxgPrxt:H7Vhu9MM8LbSLmWjk4L4xgTxt

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    87eefc28107f63d860c54dbbdc6e369b

    SHA1

    e5a80f9c7138bbd6a7158b5af6ccd72df5344474

    SHA256

    9b41918a548108a139c387d3849aaa8973870ae22e18aba0547de53424e8a729

    SHA512

    1d2f16e19bc3d9da91346a1539dc11c1576ea7a1c37dd1322c2fba3d914a17f6217c4317f43e363c7da591823a30d67b1ab1819d1d10a860fbf2b35e96bb15dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aeda25841a3a5493204581fb19327458

    SHA1

    0cded5c43fd3b57367d75d29f8dccbe3355fa5de

    SHA256

    1245a036ac6499bfe06516004b35d15b9e38ecb8e9afac92b2f416916167a190

    SHA512

    36afbad829dff941c809614dc4c4884a85ecd7adc9dd4f564893d542e8f788b3a7f69834fc5553896a27f4b9f0e124d83d9a8553cfbe7a3955b00e15033b8308

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f3082e81fb753b8e29feced3898ed38c

    SHA1

    d65a3725041e0b0d7cbb42128d90587f1cf9b11d

    SHA256

    8b1f03f220e3de56657c669145af55d9bb2f6b02cbbbc61bb7b63011750fd9c9

    SHA512

    c2c9c8f21d22aa1a3086bbbd63f16fc835564b0475c8448cca463b801fd02c4db31e77b4e5f66b3e59741ee60528707d4e84244c0b94fef2a66d06844a53abbf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    392507646027eb0543cf23706650778d

    SHA1

    38629496b8476794ecb5a1eb5f1398ca131ec2e2

    SHA256

    5cb4be28018020d6603850b1067ec77d673e7d162134d2c324e9495ec6e90b1b

    SHA512

    b445c6dce2795b5edfb6232822199b35652043d025a3c0b9fc8ee3f6903c03259b95b76a357d5140dcd71d5e8e05f531767256226341e8c1f479999cb5b5141a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f312a4d3480e3363e91f2af2e072d919

    SHA1

    538a532f69769f012c66600326cccfc7659cce81

    SHA256

    c6474d0812a735e314bf24acc148a60b5b95d6e7d6902a6b8b5d540b654e44db

    SHA512

    be85d26b3ab5e78109c82883b64b0fee2ce73cf1e99ff955b1e914dd2a2a9bbb4f0907d9b089098e19e8adbebda52f623cccaa76531a56c9e26177787d5809b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e556b1f46c55e9f794ae59e5dbe294a6

    SHA1

    1dde072271779851cb592d8f419050e9a50e45e0

    SHA256

    553020760f31b0cea862fa7d343865c67760b9e8aed2e8003eab9b5fb4c0474c

    SHA512

    0a81c52927ab10f5902524a8a45e2881401a984d12936275f3bd4596961dcbd440974ccd5fde8f71f706632db6b89cdb4a513bf1e3015164af66f3249b778d73

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7862b2e913bd2616334657027bd80218

    SHA1

    ec6fbed5ebff7323e70c5ad19131a231148d05b9

    SHA256

    ae3ab2424f88a42cf5b39b435cb0b9950159f72871a143296a7b68504b8751b8

    SHA512

    24fa2e757c7777643b5996b4b690c573974fe1e3359728de14f6f77af24782d580e16b3cbe8ab1afa9a19de49f16b44e54db3daa68085ede9d9bf584d8456811

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    60843e59ac6f4e26f30932ceacbb314d

    SHA1

    ddcf8ec145ab9de250d9197a9d43a599bdc977c2

    SHA256

    8a3a6dfe07bc4d0bf3bae3465f7c26de699bbf8bcc6a99a3b2ba7c16ea91adcd

    SHA512

    d30e90cccdb3f825e7c7a1bd658bab03a817b4788dc4bc352b3f1d4cc8b78b1042d4daa249d6ca6029bb50e596923745f2f9347576cfe8284d1dd529f1f80e91

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3d70cfb14a44f3609b101fbe041c70ca

    SHA1

    d96e0a2224c709c5bdde174dd67277a714e32855

    SHA256

    4b88f562ea79afa2226356ad7e3d03af7aa3e9e720ac39e2b9a5f426105cd72e

    SHA512

    ca698b41806b07a9fbe40289907ee5d85d8733e7efecba7c1a7f24508b00b4ab6db3d043425a4eb1b4e494a5c01f5234603b63f577008401b93b438c62b94938

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3377ddc56c021607a2f8f7e2ddd52bd2

    SHA1

    6fd98823bc3ca80db29194b72dfe6b0ff36a05dc

    SHA256

    727e89538eb144648fc1e3221cc01de5a21531e51898c709a63ca4b7e18fb645

    SHA512

    8af10d6b3d8d75dcc4dc17b648256ee894010ce6aab27d64bb89cecdb795eefd8d7d1fc114141b98329a6b8095bdbf011525109a4411221f48f36e9854e6599a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f06a4719b837ea8857182b94790e10ea

    SHA1

    bad2b0033d20f5c95dade7241822be524013bd61

    SHA256

    434745d6185b2190401e58ef4a4c598582c8c16129cdf275a3849f214e0a0f9d

    SHA512

    53b282e5d087928878bcfe4800c78833e4b026a95bf56e44c24de6bc8608a95c4185e19f2076a9f3f4fb1166ca77bfb6af0dff766c3a8ae0d4a925ffe9e13205

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f864f2f23c6bc136ab47787690e0b258

    SHA1

    bda60bcc4819252cfd68b63cb2a3e059037c07f8

    SHA256

    3a39d3cad6ffdedc8284d70ae35babee61c92f323c45d7b6658a7214b88f2140

    SHA512

    b1241871e0f6aa5a846f5de93cbfd92299501b7d483120fd42adbe9ae243627265f6fa9877d179df7b646a2b573d1a604ef78bfe428315bd078fdeeaf7648c98

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1ca3a73318a87bf566b2e99a0d4a83e1

    SHA1

    817d31dff056b0de3be670ae72f4cc64f8d80782

    SHA256

    6c97e33d75db80248d8f601c22a87163592fb11455a3e03e02ea2de4e44ebb4a

    SHA512

    e87a5e5e5e58cde4e798d71e5f4a8cda5ae9236056efc0725cd2aab66beb908321deadf99d20589bd555228b453207d805d191f8557ce7e547e0f8a0ae0469a0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5352f4a100f86287e310e272103c63f0

    SHA1

    37a7f351dfa27fdc65814a10b88a8fa5dd24e618

    SHA256

    712d3247b90c11f54f16a3a37033d4550e391122c39d8888b162b27c17afca70

    SHA512

    33641cf0431dd2cfe20980de55f01cacece0c3732a79078c838de4de8626e525167cfbc143a64536eb43373928bef5ca0dcb88859579fc5eee1a2e8ec9afc775

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5d4c829409bb0c680b2fe26ed4e7cf58

    SHA1

    fe3a608fa137d89f2a1885929775fe592f8bfdb7

    SHA256

    0ba0e55f7755021cd6b1d6c4594f2e305cf8010d94eb9c3cfbbac8bb1f554fb6

    SHA512

    21a747980e27bb610d0b3e87aad39ee2ce88428d260f8864511805d7039b5e75b9479a3a331993791a58d51f4d8952f4f0cb32f746926e8ef5bf8a5fc4295004

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bba77c4105f5ffb93f3612683c738d63

    SHA1

    bf0d435b1f374573c5c2549a5b478983d194f742

    SHA256

    52ab07b49731559a8f2501770220126ea244f975ce0b228edc892087524c4732

    SHA512

    b0df2e4209d33ac92ed6455bc447f3fff0fd2fbdee83a4ff6bb0d72578ed8d127d18c877f54b168c10d4d63a6942d209ba162fb3c2460ed4290ae9530d2e5772

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0c2e55cea6a73a85c7eb90fca4460021

    SHA1

    0ca54d54ec8155745ebf43d746880dad838f7fb3

    SHA256

    8640d689218efb2eb4573a8f1c7b0757fc3dc0fa0de49af75f0a53b6f4752ad7

    SHA512

    41a45d4e75f65c57916616d49f6fe7775e679903842cd34ed7734565db97fbf9a326ece3a8dd80dd4ce697051f677d5f23c0ca473573b4513cbc0fe46c2dc753

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a6eecfec18d73e1c2b287ac7e61304ce

    SHA1

    4d34fc2460318bda7cdec7227e6b7d8e916ec248

    SHA256

    09a6882b87a9546a750ac5309631f16a6bc262fedea3d92df96d3adaf21e354f

    SHA512

    ed9a3c448c337998a862e622f8f5e9a14c6981db7dcb4349c920a25f912fedca872ccc4796e0e51a09d83d11a3369617af70fa9b97d93fe6fe390ea9cad5e474

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6914814282cd406c6b4030d9415f8e2a

    SHA1

    a03ebe5d4e9742301f9f9862509eb69fc1f3fed7

    SHA256

    a3a21296f9ad39bbf43ca19415215e98711674d6a48f4870a98976e9f473f527

    SHA512

    2c31fce401d8f3963c4f8b288fc462f8799677ccc05288ea61106372f2655aa2f05eca629ed8f7fcc0b84b13ab62b32a8dd9d3307a9542de3b20a708a7525bb7

  • C:\Users\Admin\AppData\Local\Temp\Cab2A5E.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar2B30.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    84KB

    MD5

    5a4990694e4324c26ace7339664fc4b6

    SHA1

    e1d54ebd9223f127ee7a5cb00f1be151bb49548b

    SHA256

    99e40a3654d832bb4090fdb7f6eb62abece0109d88c87651835b74af4bcb197d

    SHA512

    7f41f0312325f0c09c7b444e237538e38f5e4578111e3f4277b266a1f107791a5ec1a670c6911befe8a3286ff521471cc67c2eac07f3d3dcd29b4081f07a3450

  • memory/1668-1-0x0000000074630000-0x00000000746A8000-memory.dmp

    Filesize

    480KB

  • memory/1668-2-0x00000000745B0000-0x0000000074628000-memory.dmp

    Filesize

    480KB

  • memory/1668-4-0x0000000074630000-0x00000000746A8000-memory.dmp

    Filesize

    480KB

  • memory/1668-5-0x0000000000170000-0x0000000000189000-memory.dmp

    Filesize

    100KB

  • memory/1668-16-0x0000000074630000-0x00000000746B0000-memory.dmp

    Filesize

    512KB

  • memory/2784-21-0x0000000000050000-0x0000000000051000-memory.dmp

    Filesize

    4KB

  • memory/2784-24-0x0000000000410000-0x0000000000419000-memory.dmp

    Filesize

    36KB

  • memory/2784-23-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2784-25-0x0000000000401000-0x0000000000410000-memory.dmp

    Filesize

    60KB

  • memory/2784-22-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-18-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-12-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-13-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-19-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-15-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-14-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2784-17-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB